danilop / lambdauth Goto Github PK

Hi there

How is the developer provider id used? In your example its "login.mycompany.myapp", i used my own. I get an issue when logging in after successfully creating a user: "This identity pool does not support the specified developer provider".

I checked the pool in cognito it has the right provider name i gave. What is the "specified developer provider"?

Thanks

I have an application where I let my users upload their files to AWS S3. If I understand correctly, I need to request the secret access key from the Amazon Cognito credentials provider when they log in, instead of embedding it in my code. What would be the process for requesting it, when authenticated with LambdAuth?

`Updating function LambdAuthChangePassword begin...
updating: index.js (deflated 68%)
updating: config.json (deflated 43%)
usage: aws [options] [parameters]
aws: error: argument command: Invalid choice, valid choices are:

autoscaling | cloudformation
cloudfront | cloudsearch
cloudtrail | cloudwatch
datapipeline | directconnect
dynamodb | ec2 `

After installing, no users were able to sign up.
Page displays 'user Not created', when looking at the CloudWatch logs for the LambdAuthCreateUser function, I found this error:

2016-10-05T18:15:38.131Z b72f1452-8b27-11e6-a0ef-3f70cb5b1481
{ "errorMessage": "Error in sendVerificationEmail: MessageRejected: Email address is not verified. The following identities failed the check in region US-WEST-2: [email protected]"}

Recipients of the verification email, that is the end users, should not have to be registered on SES for it to send them email.

When trying with a registered account, it worked the first time, then the second one I got this other error:

2016-10-05T18:19:17.803Z 3a41c422-8b28-11e6-969a-41fcce75977a
{"errorMessage": "Error in sendVerificationEmail: InvalidParameterValue: Domain ends with dot"}

This user had the same domain as I did and had entered its address correctly

I got successfully login with IdentityId: us-east-1:b2a3caea-e58b-41b7-bxxxxxx. How can i use it to access restricted contents?

Line 94 of LambdAuthLogin/index.js simply check equality using 'hash == correctHash' but this is will make the function execution time be dependent on the number of correct characters in the hash. For more details on this vulnerability: http://codahale.com/a-lesson-in-timing-attacks/
I would recommend just creating a constant time equality check on the hashes that checks every character individually.

We are implementing this project into our application (front end is a Unity3D desktop/mobile app), can anyone comment on the security of the accounts information using this code?

My team and I have been building our sales listing app for months, and it is now in beta and has hundreds of thousands of users. We are close to implementing this LambdAuth example project in to provide our users a way to register and log in, but are concerned about potential security issues, as our users accounts may contain sensitive information. Does further encryption work need to be done in addition to this project to provide a reasonable amount of password security to users?

I get the following error when trying to signup through the browser.

errorMessage: "EACCES, permission denied '/var/task/index.js'", errorType: "Error", stackTrace: Array[7]}

Hi Danilo,

Nice repo! :)

However, I can't seem to get it working on my AWS account. I keep getting the following error even on the sigup page:

"InvalidIdentityPoolConfigurationException: Missing credentials in config"

http://lambdauth.lucas-canavan.net/signup.html

Any ideas???

Thanks,
Lucas

Hi, this is my first time working with AWS. I am getting an error right away when I run the init file.

make_bucket failed: s3://bucketlambd/ 'NoneType' object has no attribute 'get_frozen_credentials'

Then after that everything says:
'NoneType' object has no attribute 'get_frozen_credentials'

Did I miss something in the instructions?

Thanks
Tona

On the sign up form I'm getting back this error:

{"Message":"User: arn:aws:sts::009825708026:assumed-role/Cognito_toadkicker_poolUnauth_Role/CognitoIdentityCredentials is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:009825708026:function:LambdAuthCreateUser"}

Reviewing IAM it seems the policies were attached as expected. Where else can I look?

I am trying out this repo on a small side project, and I might get around to a PR, but I wanted to to flag this for anyone thinking of using this repo and/or working on their own PR request.

In my testing I could not register the same email twice (good), but there was no indication to the user that this was the case. It wasn't in CloudWatch either but since that doesn't seem like an application error to me I might opt to leave it out as well.

Hi there,

I just tried the sample application you have (thanks for that) and I signed up using an email address that contains a plus. The format being: [email protected]

I recieved the verification email, clicked the link, but the verification failed. I am guessing it is the plus character because it was not URL encoded in the verification link.

Hello. I have followed the instructions you wrote but I am getting an error:

Sync www content with S3 bucket bucketname begin...
Unknown options: bucketname
Sync www content with S3 bucket bucketname end

Thanks for a great package. I am wondering if you have any guidelines/tips for a beginner to implement the APIs in iOS? Any tip or push in a direction is appreciated!

Thanks

On line 96 of init.sh it looks like $AWS_ACCOUNT_ID in roles cannot be replaced because of the single quotes being used.

Should it instead be something like this?

roles="{"unauthenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/$unauthRole","authenticated":"arn:aws:iam::$AWS_ACCOUNT_ID:role/$authRole"}"

When I use my modified version I get this echo output.

Roles: {"unauthenticated":"arn:aws:iam::xxx:role/Cognito_LambdAuthUnauth_Role","authenticated":"arn:aws:iam::xxx:role/Cognito_LambdAuthAuth_Role"}

This might be a questionable place to ask this question but since it is specific to this framework, I thought I'd ask here. I'm having trouble knowing what to do after receiving the login token to transition my user into the authenticated role. I'm using the AWS Mobile SDK for iOS and writing my client app in Swift. The full details of my problem are listed here - http://stackoverflow.com/questions/38976295/aws-lambda-cognito-authentication-assuming-auth-role

Any guidance would be appreciated - thank you.

$ ./init.sh 
setting session CLI profile to null
Traceback (most recent call last):
  File "/usr/local/bin/aws", line 27, in <module>
    sys.exit(main())
  File "/usr/local/bin/aws", line 23, in main
    return awscli.clidriver.main()
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/clidriver.py", line 50, in main
    return driver.main()
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/clidriver.py", line 176, in main
    parser = self._create_parser()
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/clidriver.py", line 157, in _create_parser
    command_table = self._get_command_table()
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/clidriver.py", line 91, in _get_command_table
    self._command_table = self._build_command_table()
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/clidriver.py", line 111, in _build_command_table
    command_object=self)
  File "/usr/local/aws/local/lib/python2.7/site-packages/botocore/session.py", line 684, in emit
    return self._events.emit(event_name, **kwargs)
  File "/usr/local/aws/local/lib/python2.7/site-packages/botocore/hooks.py", line 227, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/aws/local/lib/python2.7/site-packages/botocore/hooks.py", line 210, in _emit
    response = handler(**kwargs)
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/customizations/preview.py", line 71, in mark_as_preview
    service_name=original_command.service_model.service_name,
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/clidriver.py", line 349, in service_model
    return self._get_service_model()
  File "/usr/local/aws/local/lib/python2.7/site-packages/awscli/clidriver.py", line 366, in _get_service_model
    api_version = self.session.get_config_variable('api_versions').get(
  File "/usr/local/aws/local/lib/python2.7/site-packages/botocore/session.py", line 259, in get_config_variable
    elif self._found_in_config_file(methods, var_config):
  File "/usr/local/aws/local/lib/python2.7/site-packages/botocore/session.py", line 280, in _found_in_config_file
    return var_config[0] in self.get_scoped_config()
  File "/usr/local/aws/local/lib/python2.7/site-packages/botocore/session.py", line 352, in get_scoped_config
    raise ProfileNotFound(profile=profile_name)
botocore.exceptions.ProfileNotFound: The config profile (null) could not be found

and this error is shown a million times in the bash whenever ./init.sh is invoked.

When running init.sh I repeatedly get these errors for every folder in the main folder:

Error parsing parameter '--zip-file': Unable to load paramfile fileb://LambdAuth
VerifyUser.zip.zip: [Errno 2] No such file or directory: u'LambdAuthVerifyUser.z
ip.zip'
Creating function LambdAuthVerifyUser.zip end
F:[mydirectory]\LambdAuth-master\LambdAuth-master\init.sh: line 144: ./deploy.sh: No such file or directory

I've tried running it in Windows 7 and Ubuntu 12.04 LTS

hello,
not really an issue but i noticed if i edit one of the lambda functions with the inline editor, it stoped to work.
the log complains that it cant locate config.json.
I will need to edit the src and redeploy in order to make any changes whitch is kinda slow..
any workarounds ?

./cleanup.sh
Starting cleanup.
Loading config parameters
Removing IAM Roles
Removing Cognito Identity Pool
usage: aws [options] [ ...] [parameters]
To see help text, you can run:

aws: error: argument --identity-pool-id: expected one argument

does anyone know what I might be doing wrong here ?

{ "errorMessage": "Error in sendVerificationEmail: MessageRejected: Email address is not verified. The following identities failed the check in region US-WEST-2: [email protected], [email protected]" }

So I 'm very new to all this. This is exactly what I was looking for though.

After managing to set it all up. When I then surf to the bucket url and attempt to sign in it comes back with "User not created.". If I look in the DynamoDB table I can see that the user I attempted to Sign Up with is all saved in there. But if I then try to log in with it, it says Can't log in. So something is not working. I presume it's some sort of permission problem, although, not sure why it then does indeed manage to save the user record in the db.

Is there any log to read somewhere with errors?

I'm very new to AWS coming from Parse, so any guidance is much welcome.

I think the description should cover this one.

Hi,

If you delete email field from the sample authentication sign up page and click submit with it looks like server does not check that. If the field is empty application should require user to fill it.

https://sampleauth.eventdrivenapps.com/signUp.html

Thanks

My init script runs perfectly fine without any errors but when I go back to view all my resources created in aws console, I am unable to locate my cognito pool in the console

https://console.aws.amazon.com/cognito/home?region=us-east-1

I even see the Identity pool ID in the cli logs

Can someone help me debug this issue or point me in the right direction please? I have been banging my head all night on this and no results.

Edit :

I find the LambdAuth pool being created under my federated identities section.

Can someone guide me how to create under user pools and not under federated identities ?
Or am I doing something really wrong ?

Cheers,

I am adapting this for ios/moblie. How long does the session last? In AWS iOS SDK, do I need to use these two functions:

• (AWSTask *)refresh
  and
• (AWSTask *)getIdentityId
  or is this good enough: http://docs.aws.amazon.com/mobile/sdkforios/developerguide/getting-started-lambda.html

When registering an email with [email protected], [email protected] doesn't match when requesting a forgotten password

for some reason when I try to run init.sh some of the stuff like (dynamo db and identiy pool) gets created but when it tries to create the roles and function then it fails with a message for each role. could not connect to the endpoint 'https://iam.us-east1.amazonaws.com'

Is it possible to have a init setting that would create this architecture without the email verification?

After signing up there - no email even when the email is verified and screen confimation is given - perhaps somehow related to the previous problem of the install process - InvalidParameterValueException

Hello,

Can u implement it without invoking lambda functions? I mean, just only ajax request and header based authorization.

Hey,

I was wondering what the developers here would think about moving this into a serverless project (in particular, a project that is usable under the serverless framework here http://serverless.com/). It would probably simplify a lot of the config and deploying that we have here.

What would you guys think about that? I'm probably going to make a fork of it myself into a serverless project anyway for what I need to get done. Would that be something you would want to integrate into mainline?

Thanks.

Hello. I am a beginner is aws. I followed the steps from https://github.com/danilop/LambdAuth/issues/30

Then followed the main readme but when I run init.sh I get alot of following errors:

raise ProfileNotFound(profile=profile_name)
botocore.exceptions.ProfileNotFound: The config profile (null) could not be found

Commands in the init script should end with || exit 1 so that the script doesn't continue after a failure.

What is the best way to renew the token?

I was able to use LambdAuth in my own sample application, but I need to enter my password every 15 minutes to get a new token if I want to continue using the application after that time period. The sample application only performs a single operation with a successful login, so it doesn't seem to address this issue.

I want to replicate the behavior of most secure applications, like a bank web page, allowing continuous usage, but automatically logging the user out after a period of inactivity.

Am I correct in assuming that I would need to write a new function, similar to LambdAuthLogin, but it would require an authenticated user with a valid token, and it would return a new token with an extended duration? Then my application would make sure to call that function and change the token before the existing token expires?

Am I missing an easier solution? Are there security implications to my suggested implementation, or a better approach?

Matasano recommends using at least 86000 iterations of PBKDF2-SHA256 in 2015.

When installing got the error:

An error occurred (InvalidParameterValueException) when calling the CreateFunction operation: The role defined for the function cannot be assumed by Lambda.

I think this is related to LambdAuthResetPassword

Everything else seems to have worked correctly but I'm getting this error which I can't figure out. Seems to be a duplicate of #4, but he doesn't really explain how he solved it.

A client error (NotAuthorizedException) occurred when calling the SetIdentityPoolRoles operation: Access to Role 'arn:aws:iam::****-****-****:role/Cognito_LambdAuthUnauth_Role' is forbidden. 

And I believe because of it I get many errors when creating the Lambda calls

A client error (ValidationException) occurred when calling the CreateFunction operation: 1 validation error detected: Value 'arn:aws:iam::****-****-****:role/LambdAuthChangePassword' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+

A client error (ValidationException) occurred when calling the CreateFunction operation: 1 validation error detected: Value 'arn:aws:iam::****-****-****:role/LambdAuthCreateUser' at 'role' failed to satisfy constraint: Member must satisfy regular expression pattern: arn:aws:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+

Is there something I need to setup in IAM roles?

Hi,

Is there a guide or step by step how to instruction to deploy this in aws? If not may i suggest to put few lines as in how to get this up and working in aws.

Ok Since I read something about lambda by now I understood few things, I am listing it here so that it might help, someone like me.

Install aws CLI

• Check if the python is already installed by using $ python --version
• Download CLI by $ curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip"
• UnZip CLI by $ unzip awscli-bundle.zip
• Install CLI by $ sudo ./awscli-bundle/install -i /usr/local/aws -b /usr/local/bin/aws
• check if the CLI is installed correctly by $ aws --version

Configure CLI

• Configure CLI with $ aws configure
• Put the AWS Access Key ID when asked
• Put the AWS Secret Access Key when asked
• Put Default region name when asked
• Put Default output format, press enter to keep the default which is JSON

Install jq

• Install jq on mac by brew install jq

More details of installing aws CLI can be found here, more details on installing jq can be found here.

Roles
Your user configured in CLI should have below policies at-least to execute init.sh

• AWSLambdaDynamoDBExecutionRole
• AmazonCognitoDeveloperAuthenticatedIdentities
• AWSLambdaExecute
• AWSLambdaInvocation-DynamoDB

The email address in config.json must be verified in aws SES so that you can send verification mails else the user sign up/creation fails.

Once done you should be able to use the instruction as provided in READ ME. Last but not least the config.json details must be 100% correct.

BR

Hi,

I had some success today getting this working but then I cleared everything out and reinitialised ... now I get an error executing LambdAuthCreateUser. I have spent way too long trying to work out what is going wrong but it seems that it isn't picking up the correct policy that allows LambdAuthCreateUser to write to the DynamoDB. But I can't see what policies it HAS picked up only what it SHOULD pick up. The policy simulater reports no issues, so it's nothing obvious.

Do you have any thoughts?

A.

Hello, I followed all the instructions but am getting these errors, please help:

Last login: Fri Jun 10 15:27:39 on ttys000
Dans-MacBook-Pro:~ Dan$ /Users/Dan/Downloads/LambdAuth-master/init.sh
make_bucket failed: s3:/// Parameter validation failed:
Invalid bucket name "": Bucket name must match the regex "^[a-zA-Z0-9.-_]{1,255}$"

Creating DynamoDB Table begin...
usage: aws [options] [ ...] [parameters]
To see help text, you can run:

aws help
aws help
aws help
aws: error: argument --region: expected one argument
Creating DynamoDB Table end (creation still in progress)
usage: aws [options] [ ...] [parameters]
To see help text, you can run:

aws help
aws help
aws help
aws: error: argument --region: expected one argument
Creating Cognito Identity Pool begin...
usage: aws [options] [ ...] [parameters]
To see help text, you can run:

aws help
aws help
aws help
aws: error: argument --region: expected one argument
Identity Pool Id:
Creating Cognito Identity Pool end
/Users/Dan/Downloads/LambdAuth-master/init.sh: line 65: cd: iam: No such file or directory
rm: edit/: No such file or directory
ls: trust: No such file or directory
ls: Cognito*: No such file or directory
Setting identity pool roles begin...
Roles: {"unauthenticated":"arn:aws:iam:::role/","authenticated":"arn:aws:iam:::role/"}
usage: aws [options] [ ...] [parameters]
To see help text, you can run:

aws help
aws help
aws help
aws: error: argument --region: expected one argument
Setting identity pool roles end
ls: LambdAuth*: No such file or directory
/Users/Dan/Downloads/LambdAuth-master/init.sh: line 151: ./deploy.sh: No such file or directory
Dans-MacBook-Pro:~ Dan$

Hi

this looks cool.

I am currently trying to put an architecture together for a mobile/desktop app. Of course I would love to out the whole thing together with a serverless arch. Most of the backend work is pretty straightforward in terms of serverless services et . but when it comes to whole sign up/ login / token based authentication/ authorization I am left with so many options OAuth2/JWT/ Auth0, Cognito etc etc etc.

Would your impl help me out here you think or has it some limitations

Can you provide a policy that ensures the init.sh script can be run successfully without being blocked from using any of its dependencies?

Is there a possibility to re-send the verification mail, in case the user mistakenly deleted the first verification email?

Everything is on the title, why reset page and verification page must be in S3 Bucket ?

Error while running init.sh

botocore.exceptions.ProfileNotFound: The config profile (null) could not be found

I've checked everything in my credentials of aws cli and seem fine. But i'm getting the above error when trying to run init

Any ideas?